
Linux Analysis Report phantom.x86

Overview

General Information

Sample Name: phantom.x86
Analysis ID: 553477
MD5: 8bb140fe0754eee2498279f9f1830368
SHA1: 0146917808c967dd97899cd5259de170b67af87b
SHA256: 217a622a111c0d13237c660259617cb1e31943d74a1767a933ddee8ae0b445ac
Tags: Mirai

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample contains only a LOAD segment without any section mappings
Deletes log files
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "systemctl" command used for controlling the systemd system and service manager
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample tries to kill a process (SIGKILL)

Analysis Advice

None of the HTTP servers contacted by the sample answered. The sample is likely an old dropper that no longer works.

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553477
Start date: 15.01.2022
Start time: 00:34:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: phantom.x86
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal72.troj.evad.linX86@0/53@0/0
Warnings:
  • Report size exceeded maximum capacity and may have missing network information.

Process Tree

  • system is lnxubuntu20
  • systemd New Fork (PID: 5192, Parent: 1)
  • logrotate (PID: 5192, Parent: 1, MD5: ff9f6831debb63e53a31ff8057143af6) Arguments: /usr/sbin/logrotate /etc/logrotate.conf
    • gzip (PID: 5233, Parent: 5192, MD5: beef4e1f54ec90564d2acd57c0b0c897) Arguments: /bin/gzip
    • sh (PID: 5236, Parent: 5192, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "
      • sh New Fork (PID: 5237, Parent: 5236)
      • invoke-rc.d (PID: 5237, Parent: 5236, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: invoke-rc.d --quiet cups restart
        • runlevel (PID: 5238, Parent: 5237, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: /sbin/runlevel
        • systemctl (PID: 5239, Parent: 5237, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-enabled cups.service
        • ls (PID: 5242, Parent: 5237, MD5: e7793f15c2ff7e747b4bc7079f5cd4f7) Arguments: ls /etc/rc[S2345].d/S[0-9][0-9]cups
        • systemctl (PID: 5243, Parent: 5237, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active cups.service
    • gzip (PID: 5244, Parent: 5192, MD5: beef4e1f54ec90564d2acd57c0b0c897) Arguments: /bin/gzip
    • sh (PID: 5245, Parent: 5192, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog
      • sh New Fork (PID: 5246, Parent: 5245)
      • rsyslog-rotate (PID: 5246, Parent: 5245, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/lib/rsyslog/rsyslog-rotate
        • systemctl (PID: 5247, Parent: 5246, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl kill -s HUP rsyslog.service
  • systemd New Fork (PID: 5193, Parent: 1)
  • install (PID: 5193, Parent: 1, MD5: 55e2520049dc6a62e8c94732e36cdd54) Arguments: /usr/bin/install -d -o man -g man -m 0755 /var/cache/man
  • systemd New Fork (PID: 5232, Parent: 1)
  • find (PID: 5232, Parent: 1, MD5: b68ef002f84cc54dd472238ba7df80ab) Arguments: /usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete
  • systemd New Fork (PID: 5240, Parent: 1)
  • mandb (PID: 5240, Parent: 1, MD5: 1dda5ea0027ecf1c2db0f5a3de7e6941) Arguments: /usr/bin/mandb --quiet
  • cleanup

Yara Overview

PCAP (Network Traffic)

Source      Rule                  Description          Author        Strings
dump.pcap   JoeSecurity_Mirai_12  Yara detected Mirai  Joe Security

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: phantom.x86; Virustotal: Detection: 37%
Source: phantom.x86; ReversingLabs: Detection: 51%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Source: phantom.x86; String found in binary or memory: http://upx.sf.net
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings; Program segment: 0xc01000
Sample tries to kill a process (SIGKILL)
Source: /tmp/phantom.x86 (PID: 5279); SIGKILL sent: pid: 936, result: successful
Source: /tmp/phantom.x86 (PID: 5282); SIGKILL sent: pid: 936, result: successful
Source: classification engine; Classification label: mal72.troj.evad.linX86@0/53@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample; String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
    Source: /usr/sbin/logrotate (PID: 5236)Shell command executed: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "Jump to behavior
    Source: /usr/sbin/logrotate (PID: 5245)Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslogJump to behavior
    Source: /usr/sbin/invoke-rc.d (PID: 5239)Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-enabled cups.serviceJump to behavior
    Source: /usr/sbin/invoke-rc.d (PID: 5243)Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active cups.serviceJump to behavior
    Source: /usr/lib/rsyslog/rsyslog-rotate (PID: 5247)Systemctl executable: /usr/bin/systemctl -> systemctl kill -s HUP rsyslog.serviceJump to behavior

    Hooking and other Techniques for Hiding and Protection:

    Uses known network protocols on non-standard ports
    Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 34044
    Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 34048
    Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 34054
    Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 34058
    Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 34064
    Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 34074
    Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 34088
    Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 34094
    Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 34098
    Source: unknown | Network traffic detected: HTTP traffic on port 23 -> 34102
    Source: /usr/sbin/logrotate (PID: 5192) | Truncated file: /var/log/cups/access_log.1
    Source: /usr/sbin/logrotate (PID: 5192) | Truncated file: /var/log/syslog.1
    Source: /usr/bin/find (PID: 5232) | Queries kernel information via 'uname'
    Source: 5240.20.dr | Binary or memory string: -9915837702310A--gzvmware kernel module
    Source: 5240.20.dr | Binary or memory string: -1116261022170A--gzQEMU User Emulator
    Source: 5240.20.dr | Binary or memory string: qemu-or1k
    Source: 5240.20.dr | Binary or memory string: qemu-riscv64
    Source: 5240.20.dr | Binary or memory string: {cqemu
    Source: 5240.20.dr | Binary or memory string: qemu-arm
    Source: 5240.20.dr | Binary or memory string: (qemu
    Source: 5240.20.dr | Binary or memory string: qemu-tilegx
    Source: 5240.20.dr | Binary or memory string: qemu-hppa
    Source: 5240.20.dr | Binary or memory string: q{rqemu%
    Source: 5240.20.dr | Binary or memory string: )qemu
    Source: 5240.20.dr | Binary or memory string: vmware-toolbox-cmd
    Source: 5240.20.dr | Binary or memory string: qemu-ppc
    Source: 5240.20.dr | Binary or memory string: Tqemu9
    Source: 5240.20.dr | Binary or memory string: qemu-aarch64_be
    Source: 5240.20.dr | Binary or memory string: 0qemu9
    Source: 5240.20.dr | Binary or memory string: qemu-sparc64
    Source: 5240.20.dr | Binary or memory string: qemu-mips64
    Source: 5240.20.dr | Binary or memory string: vV:qemu9
    Source: 5240.20.dr | Binary or memory string: qemu-ppc64le
    Source: 5240.20.dr | Binary or memory string: <glib::param::uint64Glib::Param::UInt643pm315820097650A--gzWrapper for uint64 parameters in GLibx86_64-linux-gnu-ld.gold-1116112426130B--gzThe GNU ELF linkerprinter-profile-1115804162510A--gzProfile using X-Rite ColorMunki and Argyll CMSgrub-fstest-1116214898500A--gzdebug tool for GRUB filesystem driversxdg-user-dir-1115483406210A--gzFind an XDG user dirkmodsign-1115569251480A--gzKernel module signing toolsensible-editor-1115739932820A--gzsensible editing, paging, and web browsingminesMines6615854478170Cgnome-mines-gzinputattach-1115708189280A--gzattach a serial line to an input-layer devicegapplication-1116155671180A--gzD-Bus application launcherip-tunnel-8815816145190A--gztunnel configurationkoi8rxterm-1116140167530A--gzX terminal emulator for KOI8-R environmentsfoo2hiperc-wrapper-1115804162510A-tgzConvert Postscript into a HIPERC printer streamcryptsetup-reencrypt-8816002888050A--gztool for offline LUKS device re-encryptionsyndaemon-1115861716810A--gza program that monitors keyboard activity and disables the touchpad when the keyboard is being used.gslj-1115980290200B--gzFormat and print text for LaserJet printer using ghostscriptfile2brl-1115757179490A--gzTranslate an xml or a text file into an embosser-ready braille filexfdesktop-settings-1115793419820A--gzDesktop settings for Xfceua-1115856013570B--gzManage Ubuntu Advantage services from Canonicallatin4-7715812813670B--gzISO 8859-4 character set encoded in octal, decimal, and hexadecimalsane-genesys-5516003468200A--gzSANE backend for GL646, GL841, GL843, GL847 and GL124 based USB flatbed scannerspdftohtml-1115853266670A--gzprogram to convert PDF files into HTML, XML and PNG imagesbluetooth-sendto-1116015653360A--gzGTK application for transferring files over Bluetoothqemu-ppc64-1116261022170B--gzQEMU User Emulatorcache_metadata_size-8815811608350A--gzEstimate the size of the metadata device needed for a given configuration.net::dbus::exporterNet::DBus::Exporter3pm315773746310A--gzExport object methods and signals to the bussane-pint-5516003468200A--gzSANE backend for scanners that use the PINT device driverbpf-helpers7-7715812813670A--gzlist of eBPF helper functionsfull-4415812813670A--gzalways full devicelogin-1115906478670A--gzbegin session on the systemcups-snmp-8815877390340A--gzcups snmp backend (deprecated)ordchr-3am315728089600A--gzconvert characters to strings and vice versasosreport-1116092694050A--gzCollect and package diagnostic and support datatop-1115827827270A--gzdisplay Linux processesuri::_punycodeURI::_punycode3pm315811897880A--gzencodes Unicode string in Punycodettytty4tty1systemd-localed-8816268940210B--gzLocale bus mechanismlvmsadc-8815816289110
    Source: 5240.20.dr | Binary or memory string: vmware
    Source: 5240.20.dr | Binary or memory string: qemu-cris
    Source: 5240.20.dr | Binary or memory string: libvmtools
    Source: 5240.20.dr | Binary or memory string: qemu-m68k
    Source: 5240.20.dr | Binary or memory string: qemu-xtensa
    Source: 5240.20.dr | Binary or memory string: 9qemu
    Source: 5240.20.dr | Binary or memory string: qemu-sh4
    Source: 5240.20.dr | Binary or memory string: Dprezip-bin-1116269780060A--gzprefix zip delta word list compressor/decompressornameif-8815490444730A--gzname network interfaces based on MAC addressesxdg-user-dirs-update-1115483406210A--gzUpdate XDG user dir configurationip-link-8815816145190A--gznetwork device configurationhpsa-4415812813670A--gzHP Smart Array SCSI driverhd4-4415812813670A--gzMFM/IDE hard disk devicessane-canon630u-5516003468200A--gzSANE backend for the Canon 630u USB flatbed scannersg_copy_results-8815825816070A--gzsend SCSI RECEIVE COPY RESULTS command (XCOPY related)grub-macbless-8816214898500A--gzbless a mac file/directoryntfstruncate-8815568625640A-tgztruncate a file on an NTFS volumelessfile-1115936459130B--gz"input preprocessor" for less.sane-artec-5516003468200A--gzSANE backend for Artec flatbed scannersrmdir-1115676799200A--gzremove empty directoriessystemd-networkd-wait-online.service-8816268940210A--gzWait for network to come onlinemkfs.ntfs-8815568625640B-tgzcreate an NTFS file systemsg_inq-8815825816070A--gzissue SCSI INQUIRY command and/or decode its responseradattr.so-8815955079440Cpppd-radattr-gzc_rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valuestc-htb-8815816145190A--gzHierarchy Token Bucketgvfs-open-1115868766090A--gzsg_rbuf-8815825816070A--gzreads data using SCSI READ BUFFER commandglib-compile-schemas-1116155671180A--gzGSettings schema compileropenssl-srp-1ssl116164130370B--gzmaintain SRP password fileopenssl-rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valueslibvmtools-3315837702310A--gzvmware shared librarypasswd5-5515906478670A--gzthe password filenet::dbus::dumperNet::DBus::Dumper3pm315773746310A--gzStringify Net::DBus objects suitable for printingsane-hp4200-5516003468200A--gzSANE backend for Hewlett-Packard 4200 scannersposixoptions-7715812813670A--gzoptional parts of the POSIX standardnetworkmanager.confNetworkManager.conf5516002723180A--gzNetworkManager configuration fileownership-8815771238010A--gzCompaq ownership tag retrieveroakdecode-1115804162510A--gzDecode an OAKT printer stream into human readable form.gvfs-save-1115868766090A--gzmkfs.minix-8815953177680A--gzmake a Minix filesystemuri7-7715812813670A--gzuniform resource identifier (URI), including a URL or URNedit-1115714399500B--gzexecute programs via entries in the mailcap filegit-diff-files-1116148628880A--gzCompares files in the working tree and the index.ldaprc-5516136581350Cldap.conf-gzpactl-1116219586470A--gzControl a running PulseAudio sound servertempfile-1115756848240A--gzcreate a temporary file in a safe mannerhp-check-1115857238880A--gzDependency/Vers
    Source: 5240.20.dr | Binary or memory string: .qemu{
    Source: 5240.20.dr | Binary or memory string: qemu-ppc64abi32
    Source: 5240.20.dr | Binary or memory string: qemu-ppc64
    Source: 5240.20.dr | Binary or memory string: qemu-i386
    Source: 5240.20.dr | Binary or memory string: qemu-x86_64
    Source: 5240.20.dr | Binary or memory string: H~6\nqemu*q
    Source: 5240.20.dr | Binary or memory string: @qemu
    Source: 5240.20.dr | Binary or memory string: Fqqemu
    Source: 5240.20.dr | Binary or memory string: N4qemu
    Source: 5240.20.dr | Binary or memory string: ~6\nqemu*q
    Source: 5240.20.dr | Binary or memory string: qemu-mips64el
    Source: 5240.20.dr | Binary or memory string: hqemu
    Source: 5240.20.dr | Binary or memory string: &mqemu
    Source: 5240.20.dr | Binary or memory string: $qemu
    Source: 5240.20.dr | Binary or memory string: qemu-sparc
    Source: 5240.20.dr | Binary or memory string: qemu-microblaze
    Source: 5240.20.dr | Binary or memory string: qemu-user
    Source: 5240.20.dr | Binary or memory string: qemu-aarch64
    Source: 5240.20.dr | Binary or memory string: qemu-sh4eb
    Source: 5240.20.dr | Binary or memory string: iqemu
    Source: 5240.20.dr | Binary or memory string: qemu-mipsel
    Source: 5240.20.dr | Binary or memory string: qemuP`
    Source: 5240.20.dr | Binary or memory string: qemu-alpha
    Source: 5240.20.dr | Binary or memory string: qemu-microblazeel
    Source: 5240.20.dr | Binary or memory string: \qemu
    Source: 5240.20.dr | Binary or memory string: qemu-xtensaeb
    Source: 5240.20.dr | Binary or memory string: qemu-mipsn32el
    Source: 5240.20.dr | Binary or memory string: SAqemu
    Source: 5240.20.dr | Binary or memory string: Vqemu
    Source: 5240.20.dr | Binary or memory string: qemu-mipsn32
    Source: 5240.20.dr | Binary or memory string: qemuAU
    Source: 5240.20.dr | Binary or memory string: qemu-riscv32
    Source: 5240.20.dr | Binary or memory string: qemu-sparc32plus
    Source: 5240.20.dr | Binary or memory string: 7,qemu
    Source: 5240.20.dr | Binary or memory string: qemu-s390x
    Source: 5240.20.dr | Binary or memory string: vmware-checkvm
    Source: 5240.20.dr | Binary or memory string: qemu-nios2
    Source: 5240.20.dr | Binary or memory string: qemu-armeb
    Source: 5240.20.dr | Binary or memory string: -4415868968400A--gzVMware SVGA video driver
    Source: 5240.20.dr | Binary or memory string: 7xml::parser::style::streamXML::Parser::Style::Stream3pm315701248990A--gzStream style for XML::Parsersystemd-timedated-8816268940210B--gzTime and date bus mechanismxfce4-keyboard-settings-1115867081120A--gzKeyboard settings for Xfcepygettext2-1115841026830B--gzPython equivalent of xgettext(1)sudoedit-8816110660620B--gzexecute a command as another userintro7-7715812813670A--gzintroduction to overview and miscellany sectionsprof-1115812813670A--gzread and display shared object profiling datadhclient.conf-5516219398220A--gzDHCP client configuration filepam_group-8815953742440A--gzPAM module for group accesssystemd-ask-password-1116268940210A--gzQuery the user for a system passwordupdate-dictcommon-hunspell-8815422954860A--gzrebuild hunspell database and emacsen stuffqemu-nios2-1116261022170B--gzQEMU User Emulatorlwp::useragentLWP::UserAgent3pm315750405830A--gzWeb user agent classgpgcompose-1115838662460A--gzGenerate a stream of OpenPGP packetsecho-1115676799200A--gzdisplay a line of textio::socket::ssl::utilsIO::Socket::SSL::Utils3pm315817106800A--gz- loading, storing, creating certificates and keyscurl-1116268709580A--gztransfer a URLgetcap-8815819434600A--gzexamine file capabilitieszegrep-1115762517060B--gzsearch possibly compressed files for a regular expressiongrub-syslinux2cfg-1116214898500A--gztransform syslinux config into grub.cfgrtc-4415812813670A--gzreal-time clockglib::codegenGlib::CodeGen3pm315820097650A--gzcode generation utilities for Glib-based bindings.wpa_cli-8816146062790A--gzWPA command line clientiso_8859_3-7715812813670B--gzISO 8859-3 character set encoded in octal, decimal, and hexadecimaliso_8859-9-7715812813670A-tgzISO 8859-9 character set encoded in octal, decimal, and hexadecimallvextend-8815816289110A--gzAdd space to a logical volumeresolvectl-1116268940210A--gzResolve domain names, IPV4 and IPv6 addresses, DNS resource records, and services; introspect and reconfigure the DNS resolverchgrp-1115676799200A--gzchange group ownershipsystemd-cgls-1116268940210A--gzRecursively show control group contentspygettext3.8-1113852085880A--gzPython equivalent of xgettext(1)ping4-8815804258830B--gzsend ICMP ECHO_REQUEST to network hostsidmapwb-8816000845410A--gzwinbind ID mapping plugin for cifs-utilsapturl-gtk-8815799493830B--gzgraphical apt-protocol interpreting package installersane-epsonds-5516003468200A--gzSANE backend for EPSON ESC/I-2 scannersgvfs-monitor-file-1115868766090A--gzrstart-1115829564830A--gza sample implementation of a Remote Start clientgit-stage-1116148628880A--gzAdd file contents to the staging areatc-pedit-8815816145190A--gzgeneric packet editor actioniptables-save-881582899
    Source: 5240.20.dr | Binary or memory string: I_qemu
    Source: 5240.20.dr | Binary or memory string: -1116261022170B--gzQEMU User Emulator
    Source: 5240.20.dr | Binary or memory string: -3315837702310A--gzvmware shared library
    Source: 5240.20.dr | Binary or memory string: qemu-mips
    Source: 5240.20.dr | Binary or memory string: qemuj\
    Source: 5240.20.dr | Binary or memory string: {qemuQ&
    Source: 5240.20.dr | Binary or memory string: Wgnome-text-editor-111629209547491759146B--gztext editor for the GNOME Desktopx11::protocol::connection::filehandleX11::Protocol::Connection::FileHandle3pm314314075500A--gzPerl module base class for FileHandle-based X11 connectionshtbHTB8815816145190Ctc-htb-gzcifscreds-1116000845410A--gzmanage NTLM credentials in kernel keyringiwconfig-8815490049440A--gzconfigure a wireless network interfaceossl_store-file-7ssl716164130370A--gzThe store 'file' scheme loadertc-stab-8815816145190A--gzGeneric size table manipulationsnotifier-7715877390340A--gzcups notification interfaceqemu-arm-1116261022170B--gzQEMU User EmulatorgemfileGemfile5516263767190Cgemfile2.7-gzglib::object::subclassGlib::Object::Subclass3pm315820097650A--gzregister a perl class as a GObject classnetcat-111612200165426646725B--gzarbitrary TCP and UDP connections and listensdpkg::changelog::parseDpkg::Changelog::Parse3perl315849439740A--gzgeneric changelog parser for dpkg-parsechangelogmpris-proxy-1116243432320A--gzBluetooth mpris-proxybundle-pristine2.7-1116263767190A--gzRestores installed gems to their pristine conditionfsck.ext3-8815816604980B--gzcheck a Linux ext2/ext3/ext4 file systemvolname-1115625752510A--gzreturn volume nameiso-8859-9-7715812813670B--gzISO 8859-9 character set encoded in octal, decimal, and hexadecimalheadhead1HEAD1psd-4415812813670A--gzdriver for SCSI disk driveschrt-1115953177680A--gzmanipulate the real-time attributes of a processvcs-4415812813670A--gzvirtual console memorygit-upload-archive-1116148628880A--gzSend archive back to git-archivenet::dbus::binding::message::errorNet::DBus::Binding::Message::Error3pm315773746310A--gza message encoding a method call errorpkcs11.conf-5516097870510A--gzConfiguration files for PKCS#11 modulessfill-1115227593860A--gzsecure free disk and inode space wiper (secure_deletion toolkit)ldattach-8815953177680A--gzattach a line discipline to a serial linethin_restore-8815811608350A--gzrestore thin provisioning metadata file to device or file.phar.phar7.4-1116254980150B--gzPHAR (PHP archive) command line toolbundle-outdated2.7-1116263767190A--gzList installed gems with newer versions availablemail::addressMail::Address3pm315640244160A--gzparse mail addressesopenssl-ca-1ssl116164130370B--gzsample minimal CA applicationchardet3-1115765858900A--gzuniversal character encoding detectorerb2.7-1116263767190A--gzRuby Templatingchktrust-1115826667350A--gzCheck the trust of a PE executable.sg_raw-8815825816070A--gzsend arbitrary SCSI command to a devicegvfs-trash-1115868766090A--gzintro1-1115812813670A--gzintroduction to user commandsmailcap-5515714399500A--gzmetamail capabilities filegigoloGigolo1gig
    Source: 5240.20.dr | Binary or memory string: vmware-xferlogs

    Stealing of Sensitive Information:

    Yara detected Mirai
    Source: Yara match | File source: dump.pcap, type: PCAP

    Remote Access Functionality:

    Yara detected Mirai
    Source: Yara match | File source: dump.pcap, type: PCAP

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Scripting1 | Systemd Service1 | Systemd Service1 | Scripting1 | OS Credential Dumping1 | Security Software Discovery11 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Indicator Removal on Host1 | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

    Malware Configuration

    No configs have been found

    Behavior Graph

    Behavior graph image not reproduced in this extraction; the data recoverable from it: Behavior Graph ID: 553477; Sample: phantom.x86; Startdate: 15/01/2022; Architecture: LINUX; Score: 72.
    Network nodes: 209.253.15.54 WINDSTREAMUS United States; 209.18.212.249 VOYANTUS United States; 98 other IPs or domains.
    Signature nodes: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Yara detected Mirai; 2 other signatures.
    Process nodes (parent -> started children): systemd -> logrotate, mandb phantom.x86, install, find; logrotate -> sh, sh, gzip, gzip; sh -> invoke-rc.d, rsyslog-rotate; invoke-rc.d -> runlevel, systemctl, ls, systemctl; rsyslog-rotate -> systemctl; phantom.x86 -> nested phantom.x86 child processes, plus 2 other processes.

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    phantom.x86 | 37% | Virustotal |
    phantom.x86 | 51% | ReversingLabs | Linux.Trojan.Mirai

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://upx.sf.net | phantom.x86 | false | | high

      Contacted IPs


      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      161.46.153.9 | unknown | United States | 1252 | UNMC-ASUS | false
      138.214.135.26 | unknown | Canada | 59121 | AKNWS-NETAsahiKaseiNetworksCorporationJP | false
      191.181.205.173 | unknown | Brazil | 28573 | CLAROSABR | false
      186.180.66.200 | unknown | Colombia | 27831 | ColombiaMovilCO | false
      35.218.99.155 | unknown | United States | 19527 | GOOGLE-2US | false
      174.223.172.50 | unknown | United States | 22394 | CELLCOUS | false
      92.14.197.230 | unknown | United Kingdom | 13285 | OPALTELECOM-ASTalkTalkCommunicationsLimitedGB | false
      203.183.154.92 | unknown | Japan | 4725 | ODNSoftBankMobileCorpJP | false
      63.190.130.133 | unknown | United States | 1239 | SPRINTLINKUS | false
      155.106.187.197 | unknown | United States | 7018 | ATT-INTERNET4US | false
      168.165.75.76 | unknown | Mexico | 37179 | AFRICAINXZA | false
      200.133.204.145 | unknown | Brazil | 1916 | AssociacaoRedeNacionaldeEnsinoePesquisaBR | false
      247.16.190.72 | unknown | Reserved | unknown | unknown | false
      44.148.157.125 | unknown | United States | 62383 | LDS-ASBE | false
      146.24.28.224 | unknown | United States | 197938 | TRAVIANGAMESDE | false
      73.45.72.12 | unknown | United States | 7922 | COMCAST-7922US | false
      62.215.147.93 | unknown | Kuwait | 21050 | FAST-TELCOKW | false
      111.197.113.115 | unknown | China | 4808 | CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | false
      209.253.15.54 | unknown | United States | 7029 | WINDSTREAMUS | false
      248.250.22.44 | unknown | Reserved | unknown | unknown | false
      250.135.211.1 | unknown | Reserved | unknown | unknown | false
      58.6.174.54 | unknown | Australia | 7545 | TPG-INTERNET-APTPGTelecomLimitedAU | false
      130.227.167.221 | unknown | Denmark | 9158 | TELENOR_DANMARK_ASDK | false
      167.100.152.214 | unknown | Saudi Arabia | 25019 | SAUDINETSTC-ASSA | false
      185.57.37.64 | unknown | United Kingdom | 202206 | MOTIVEGB | false
      70.153.237.61 | unknown | United States | 6389 | BELLSOUTH-NET-BLKUS | false
      181.7.145.113 | unknown | Argentina | 7303 | TelecomArgentinaSAAR | false
      185.255.158.224 | unknown | Denmark | 60111 | ASOM-NETDK | false
      35.15.136.181 | unknown | United States | 36375 | UMICH-AS-5US | false
      155.28.153.184 | unknown | United States | 1556 | DNIC-ASBLK-01550-01601US | false
      254.164.185.124 | unknown | Reserved | unknown | unknown | false
      20.79.32.82 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
      190.141.21.40 | unknown | Panama | 18809 | CableOndaPA | false
      60.168.40.14 | unknown | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false
      27.229.140.235 | unknown | Japan | 9605 | DOCOMONTTDOCOMOINCJP | false
      136.255.15.129 | unknown | Romania | 12302 | VODAFONE_ROCharlesdeGaullenr15RO | false
      162.79.89.113 | unknown | United States | 4152 | USDA-1US | false
      221.64.244.54 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | false
      36.33.212.92 | unknown | China | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
      80.36.57.53 | unknown | Spain | 3352 | TELEFONICA_DE_ESPANAES | false
      213.161.228.235 | unknown | Norway | 15765 | MIMERNO | false
      42.119.44.71 | unknown | Viet Nam | 18403 | FPT-AS-APTheCorporationforFinancingPromotingTechnolo | false
      96.132.29.69 | unknown | United States | 7922 | COMCAST-7922US | false
      221.20.125.203 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | false
      241.254.232.178 | unknown | Reserved | unknown | unknown | false
      210.48.235.19 | unknown | Japan | 2514 | INFOSPHERENTTPCCommunicationsIncJP | false
      195.129.27.188 | unknown | European Union | 702 | UUNETUS | false
      160.75.166.103 | unknown | Turkey | 9095 | IstanbulTeknikUniversitesiTR | false
      193.194.39.59 | unknown | Morocco | 6713 | IAM-ASMA | false
      200.176.169.253 | unknown | Brazil | 22548 | NucleodeInfeCoorddoPontoBR-NICBR | false
      187.252.127.109 | unknown | Mexico | 28509 | CablemasTelecomunicacionesSAdeCVMX | false
      185.11.6.125 | unknown | Russian Federation | 15493 | RUSCOMP-ASRussiancompanyLLCInternetServiceProviderT | false
      157.227.65.58 | unknown | Australia | 4704 | SANNETRakutenMobileIncJP | false
      76.43.0.141 | unknown | United States | 18494 | CENTURYLINK-LEGACY-EMBARQ-WRBGUS | false
      157.139.187.2 | unknown | United States | 20252 | JSIWMCUS | false
      80.142.180.154 | unknown | Germany | 3320 | DTAGInternetserviceprovideroperationsDE | false
      48.11.58.244 | unknown | United States | 2686 | ATGS-MMD-ASUS | false
      63.155.197.20 | unknown | United States | 209 | CENTURYLINK-US-LEGACY-QWESTUS | false
      253.72.75.120 | unknown | Reserved | unknown | unknown | false
      116.72.42.120 | unknown | India | 17488 | HATHWAY-NET-APHathwayIPOverCableInternetIN | false
      151.219.242.134 | unknown | unknown | 11003 | PANDGUS | false
      133.118.92.141 | unknown | Japan | 2522 | PPP-EXPJapanNetworkInformationCenterJP | false
      169.228.186.243 | unknown | United States | 7377 | UCSDUS | false
      179.132.161.105 | unknown | Brazil | 26599 | TELEFONICABRASILSABR | false
      76.114.145.159 | unknown | United States | 7922 | COMCAST-7922US | false
      255.67.241.130 | unknown | Reserved | unknown | unknown | false
      117.196.164.125 | unknown | India | 9829 | BSNL-NIBNationalInternetBackboneIN | false
      217.60.218.162 | unknown | Iran (ISLAMIC Republic Of) | 31549 | RASANAIR | false
      96.144.25.21 | unknown | United States | 7922 | COMCAST-7922US | false
      37.135.6.37 | unknown | Spain | 12479 | UNI2-ASES | false
      82.124.221.121 | unknown | France | 3215 | FranceTelecom-OrangeFR | false
      19.157.11.236 | unknown | United States | 3 | MIT-GATEWAYSUS | false
      57.137.251.6 | unknown | Belgium | 2686 | ATGS-MMD-ASUS | false
      223.52.70.237 | unknown | Korea Republic of | 9644 | SKTELECOM-NET-ASSKTelecomKR | false
      174.103.238.15 | unknown | United States | 10796 | TWC-10796-MIDWESTUS | false
      154.90.25.153 | unknown | Seychelles | 26484 | IKGUL-26484US | false
      116.87.137.130 | unknown | Singapore | 55430 | STARHUB-NGNBNStarhubLtdSG | false
      209.18.212.249 | unknown | United States | 5006 | VOYANTUS | false
      210.89.203.17 | unknown | Japan | 7671 | MCNETNTTSmartConnectCorporationJP | false
      8.127.239.179 | unknown | United States | 3356 | LEVEL3US | false
      43.24.206.124 | unknown | Japan | 4249 | LILLY-ASUS | false
      114.142.142.198 | unknown | India | 4721 | JCNJupiterTelecommunicationsCoLtdJP | false
      53.49.50.138 | unknown | Germany | 31399 | DAIMLER-ASITIGNGlobalNetworkDE | false
      46.154.181.7 | unknown | Turkey | 15897 | VODAFONETURKEYTR |